The Web Application Attack and Audit Framework’s (w3af) goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
Version 1.0 brings you important improvements of the framework:
Stable code base, an improvement that will reduce your w3af crashes to a minimum.
Auto-Update, which will allow you to keep your w3af installation updated without any effort.
Web application payloads, for people that enjoy exploitation techniques, this is one of the most interesting things you’ll see in web application security. The developers created various layers of abstraction around an exploited vulnerability in order to be able to write payloads that use emulated syscalls to read, write and execute files on the compromised web server.
PHP static code analyzer, as part of a couple of experiments and research projects, Javier Andalia created a PHP static code analyzer that performs tainted mode analysis of PHP code in order to identify SQL injections, OS Commanding and Remote File Includes. At this time you can use this very interesting feature as a web application payload. After exploiting a vulnerability try: “payload php_sca”, that will download the remote PHP code to your box and analyze it to find more vulnerabilities.